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DETAILED ACTION 
Claim Rejections - 35 USC § 103 

1 . The following is a quotation of 35 U.S.C. 103(a) which fornns the basis for 

all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

2. Clainns 8-14 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Ylonen et al (US 6,438,612 B1), and further In view of Moles et al (US 6,725,056 
B1). 

a. Referring to claim 8: 
i. Ylonen teaches: 

(1) at least one IP forwarder arranged to receive IP 
packets each of which is associated with a Security Association (SA), the at least one IP 
forwarder is further arranged to determine the destinations of the packets, and to 
forward the packets to their destinations [i.e., referring to Figure 3, for Ylonen's 
invention to be applicable we will assume that some arbitrary protocol (where IP 
forwarder could include In this protocol) exists for setting up a context for 
securely tunneling data packets from the transmitting device 301 through the 
connection 303 to the receiving device 302. As an example we will consider the 
IKE and IPSEC protocols mentioned previously. Setting up said context will then 
correspond to having a negotiation between the two devices, during which 
negotiation they will first authenticate themselves to each other and thereafter 
agree upon a shared secret, an authentication and/or encryption method to be 
used for the communication and on a security parameter index (SPI) value. The 
results of the negotiation will be locally stored at both devices, which is 
illustrated in FIG. 3 with the schematic memory blocks 304 and 305 (column 5, 
lines 56-67 through column 6, lines 1-2). In addition, Using the language of the 
IKE and IPSEC protocols, the result of the negotiation between the devices 301 
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and 302 is a security association (or a well-defined group of security 
associations) (column 6, lines 58-61)]; 

(2) a plurality of security procedure modules coupled to 
the IP forwarder(s) and arranged to implement security procedures for received IP 
packets in parallel [i.e., referring to Figures 6 & 7, it is possible to have in each 
physical computer device 601 only a single module 602 performing IPSEC 
processing, and to have e.g. all virtual routers 603a, 603b and 603c in a physical 
router share the same IPSEC module. In an alternative architecture according to 
FIG. 7 each virtual router 703a, 703b and 703c can have its own IPSEC processor 
702a, 702b and 702c, but the different processors have a shared data structure 
704 that they use for allocating SPI values (either by actually having a single store 
for SAs or SPIs, or by checking the SPIs used by every other virtual router before 
allocating an SPI value). In a third alternative architecture the range of possible 
SPI values may be partitioned so that the virtual router identifier is encoded into 
the SPI value (either in a fixed number of bits, or using any suitable arithmetic 
coding method to combine a virtual network identifier and a SPI index). 
Variations and intermediate forms of these architectures can also be used. When 
there are multiple IPSEC processing modules, and the SPI can be used to identify 
the IPSEC processing module, no explicit virtual network identifiers are needed 
(column 8, lines 46-66)]; and 

(3) a security controller arranged to allocate negotiated 
SAs amongst the security procedure modules and to notify the security procedure 
modules and the IP forwarder(s) of the allocation, whereby the at least one IP forwarder 
can send IP packets to the security procedure module implementing the associated SA 
[i.e., Figure 4 shows more detailed view of a transmitting device 401, a receiving 
device 402 and two-way communication connection 403 between them. Both the 
transmitting device 401 and the receiving device 402 have an automatic key 
manager block 404 and an IPSEC block 405 that communicate with a security 
policy database 406. We may keep the previously made assumption that the 



Application/Control Number: 09/864,593 
Art Unit: 2135 



Page 4 



automatic key manager blocks 404 apply the IKE protocol for setting up the 
security association (column 7, lines 18-26)]. 

ii. Although Ylonen does not explicitly mention about a security 
controller in Figures 3 and 4, the negotiation process that Ylonen has mentioned in 
these two Figures should at least include a controller included in the communication in 
order to establish an entire IP Security Association. However, Moles teaches: 

(1) Figure 4 illustrates in greater detail provisioning 
security controller 265 in accordance with one embodiment of Moles' invention. 
Exemplary provisioning security controller 265 comprises data processor 405 and 
memory 410, which contains storage space for data burst-IP packet conversion 
application program 415, incoming traffic channel data field 420, outgoing traffic channel 
data field 425, incoming IP packet data field 430, and outgoing IP packet data field 435 
(column 10, lines 19-27). 

iii. It would have been obvious to a person having ordinary skill 
in the art at the time the invention was made to: 

(1) have included a security controller in Ylonen's 
invention concerning the secure transmission of data packets in a network. 

iv. The ordinary skilled person would have been motivated to: 
(1) have included a security controller in Ylonen's 

invention since it is an object of the invention that it is applicable in the course of secure 
tunneling of data between virtual routers irrespective of the actual method of 
implementing the packet authentication and/or encryption (column 3, lines 52-55 of 
Ylonen). 

b. Referring to claims 9-11: 

i. These claims have limitations that is similar to those of claim 
12, thus they are rejected with the same rationale applied against claim 12 above. 

c. Referring to claim 12: 

i. Ylonen further teaches: 

(1) wherein the security controller is coupled to an 
Internet Key Exchange (IKE) module which is responsible for negotiating SAs with peer 
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IKE modules, and the security controller is arranged to receive from the IKE module 
details of negotiated Sas [i.e., Figure 4 is a sliglitly more detailed view of a 
transmitting device 401, a receiving device 402 and two-way communication 
connection 403 between them. Both the transmitting device 401 and the 
receiving device 402 have an automatic icey manager blocl< 404 and an IPSEC 
block 405 that communicate with a security policy database 406. We may keep 
the previously made assumption that the automatic key manager blocks 404 
apply the IKE protocol for setting up the security association Furthermore, once 
the negotiation between the automatic key managers 404 is complete and the new 
security association is set up, both the transmitting device and the receiving 
device enter the information describing the security association into their 
security policy database. The stored information is then used for the processing 
of individual packets (column 7, lines 18-51)]. 

d. Referring to claim 13: 

1. Moles further teaches: 

(1 ) wherein at least one of the at least one IP forwarder, 
security procedure modules, and/or security controller are implemented in software or in 
hardware, or In a combination of hardware and software [i.e., the term "controller" 
means any device, system or part thereof that controls at least one operation, 
such a device may be implemented in hardware, firmware or software, or some 
combination of at least two of the same (column 5, lines 15-18)]. 

e. Referring to claim 14: 

i. This claim consist a method of processing IP packets at a 
network networking device to implement claim 1 and is rejected by the same prior art of 
record. 

Conclusion 

3. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

a. Godwin et al (US 6, 505, 192 B1) discloses IPSec rules are 
searched in an improved manner to reduce processing overhead. For selected 
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connectionless protocols, packets are treated as if they were part of a simulated 
connection, (see abstract). 

Any inquiry concerning this communication or earlier 
communications from the examiner should be directed to Thanhnga (Tanya) Truong 
whose telephone number is 571 -272-3858. 

If attempts to reach the examiner by telephone are unsuccessful, 
the examiner's supervisor, Kim Vu can be reached at 571-272-3859. The fax and 
phone numbers for the organization where this application or proceeding is assigned is 
703-872-9306. 

Any inquiry of a general nature or relating to the status of this 
application or proceeding should be directed to the receptionist whose telephone 
number is 571-272-2100. 



TBT 

February 1 9, 2005 
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